Hackers vs Crackers: Key Differences and Why they are Both Extremely Dangerous
Published: 24/03/2021

Hackers vs Crackers: Key Differences and Why they are Both Extremely Dangerous

  • Netacea, Agentless Bot Management

7 minutes read

Poor password hygiene aside, the amount of compromised user credentials that are being sold, traded and shared in online forums, file repositories and the Dark Web is astounding. Of course, regular password rotation, combined with not using the same password across multiple websites and web applications will help, but only a minority of internet users adhere to such practices. For the rest, their accounts are at risk and if you’re an online business, you are responsible. Hackers and crackers are waiting for your mistake.

Hackers vs crackers definition

Hackers and crackers each pose their own unique threats to businesses and site owners but there are key differences between the two.


Hackers are able to identify the threats within a system or site organically, generally using their own skills and tools. Some hackers work ethically and use these skills to identify weaknesses and improve them, though unethical hacking is still a prominent concern for businesses.


Crackers are generally malicious individuals using skills, tools and intelligent software to gain access to systems illegally. Data recovered through these means is often used for exploitative purposes.

Hackers vs crackers – the difference

Wikipedia defines the term hacker as “any skilled computer expert that uses their technical knowledge to overcome a problem”.

Hackers vs crackers – professional hackers with advanced knowledge and skills look down on crackers, thinking of them as less educated versions of themselves. Hackers are very proud of the bespoke hacking tools and utilities they create for their specific attacks and refer to crackers as script kiddies or newbies because they do not create their own attack tools.

Hackers constantly seek out new vulnerabilities to exploit to achieve whatever malicious activity they are performing, versus crackers continue to exploit the same known vulnerability to access user accounts. The vulnerability is known as the Insufficient Anti-Automation Vulnerability, it presents itself when a web application allows the cracker to automate a process that was originally designated only for manual users.

Automated ATO tools used by hackers and crackers

A common method used to gain access to an account is a credential stuffing attack. Easy to use tools like Sentry MBO, OpenBullet or STORM stuff a large number of compromised usernames and password combinations aiming to establish a legitimate match in order to successfully take over an account.

Credential stuffing/cracking tools are extremely effective against standard security devices such as Web Application Firewalls (WAFs), but, arguably more concerning is how easy they are to operate. Even low-tech criminals can profit from automated attacks with little more than a few mouse clicks. This means anyone with intent could take over your customers’ accounts with little to no knowledge of traditional hacking techniques.

Former Facebook CSO Alex Stamos, believes password reuse is the single biggest cybersecurity risk to customers and organizations. He thinks crackers can’t go wrong with a credential stuffing tool as they are free, simple to use, efficient, and extremely effective.

Furthermore, tools such as Sentry MBA, OpenBullet and STORM even have inbuilt capabilities to bypass login form security controls such as IP rate limits and CAPTCHA checks, making it even easier for crackers to take over accounts. There are even services to bypass stronger forms of CAPTCHA at a low price, some using humans to physically pass the check.

Find out how crackers use tools like OpenBullet to launch credential stuffing attacks in a video demonstration with Netacea’s threat research team.

Proactive protection from credential stuffing & ATO attacks

Unfortunately, many organizations can’t distinguish between an automated attack and regular user login activities, some also do not fully appreciate how widespread the problem space is. The Open Web Application Security Project (OWASP) see credential stuffing as one of the most common cyber-attacks and is capable of compromising websites that do not have the traditional security vulnerabilities. Therefore, this puts all at risk; the account owner consumers and the organizations.

While the development of these automated cracking tools cannot be stopped, you can protect your customer accounts and web login forms to reduce the likelihood of ATO from happening to your organisation.

Password rotation and multi-factor authentication

Enforcing a password rotation policy is an effective way to improve security and ensure previously compromised credentials cannot be re-used. Likewise, Two-Factor Authentication (2FA) is an effective defence against attacks. However, such controls are typically only used in personal banking or corporate environments as there are high deployment costs and usability impacts which make them unsuitable for online shopping and gambling customers.

Login history tracking and limiting login attempts

Allowing your applications to store the history of a given user’s addresses, locations, devices, cookies and browsers can help identify compromised accounts. These data-driven insights can also trigger challenges of login requests where the attempt does not match the user’s known data profile.

You can also limit the number of failed login attempts, although even trustworthy customers may need more attempts if they have forgotten a password. Limiting login attempts will not help protect against credential stuffing where the hacker cycles through one email address with one password.

IP and user agent black listing

Many businesses can blacklist IP Addresses and User Agents if malicious behaviour is identified. Unfortunately, crackers have become savvy to this tactic and now rotate IP ranges constantly, even using residential IP proxies to appear as trusted users.

Rate limiting

Monitoring network traffic for spikes in requests from a single IP Address or IP Range can be used to identify simple credential cracking behaviour. However, sometimes these ATO attacks can take the form of a ‘low and slow attack’, with login attempts spanning several days or even weeks, making rate limiting difficult.

Dedicated bot identification & ATO prevention against hackers and crackers

Over 50% of all website traffic is made up of automated traffic. Standard security solutions and practices are no longer robust enough to protect against sophisticated malicious bots and cracking tools.

Dedicated bot management solutions leverage the power of shared intelligence, specialist data scientists, customised rules and machine learning to stay one step ahead. Deploying these solutions will help your business identify and tackle ATO and, protect you against many of the other issues caused by a much wider range of non-human traffic.

Introducing Netacea – the world’s most advanced bot management & ATO solution

Radically different from traditional ‘black box’ solutions, Netacea is an agile and intelligent new layer of security that adapts to changing threats. No matter whether you’re attacked by hackers vs crackers or the other way round, your assets will stay secure.

The Netacea layer of protection should be your first line of defence. It complements existing controls, such as WAF rulesets, rate limiting and threat databases.

It provides deep, actionable analysis of all internet traffic, web reconnaissance, automated bots and legitimate website visitors and manages those journeys accordingly in real time.

Learn more about our behavioural based machine learning for ATO protection, or sign up for a trial to test the Netacea Credential Stuffing Prevention tool on your live site.

Schedule Your Demo

Tired of your website being exploited by malicious malware and bots?

We can help

Subscribe and stay updated

Insightful articles, data-driven research, and more cyber security focussed content to your inbox every week.


By registering, you confirm that you agree to Netacea's privacy policy.